[Pkg-openssl-changes] r706 - in openssl/branches/wheezy/debian: . patches

Kurt Roeckx kroeckx at moszumanska.debian.org
Wed Dec 31 12:46:33 UTC 2014 

Author: kroeckx
Date: 2014-12-31 12:46:33 +0000 (Wed, 31 Dec 2014)
New Revision: 706

Added:
   openssl/branches/wheezy/debian/patches/Keep-old-method-in-case-of-an-unsupported-protocol.patch
Modified:
   openssl/branches/wheezy/debian/changelog
   openssl/branches/wheezy/debian/patches/series
Log:
Fix CVE-2014-3569


Modified: openssl/branches/wheezy/debian/changelog
===================================================================
--- openssl/branches/wheezy/debian/changelog	2014-12-31 12:43:43 UTC (rev 705)
+++ openssl/branches/wheezy/debian/changelog	2014-12-31 12:46:33 UTC (rev 706)
@@ -5,8 +5,10 @@
     It can also be enabled again by setting OPENSSL_ALLOW_SSLv3 in the
     environment to anything.
     This fixes the POODLE issue (CVE-2014-3566).
+  * Fix CVE-2014-3569.  We're not affected by it since we don't build with
+    the no-ssl3 option (yet).
 
- -- Kurt Roeckx <kurt at roeckx.be>  Wed, 31 Dec 2014 13:32:39 +0100
+ -- Kurt Roeckx <kurt at roeckx.be>  Wed, 31 Dec 2014 13:45:07 +0100
 
 openssl (1.0.1e-2+deb7u13) wheezy-security; urgency=medium
 

Added: openssl/branches/wheezy/debian/patches/Keep-old-method-in-case-of-an-unsupported-protocol.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/Keep-old-method-in-case-of-an-unsupported-protocol.patch	                        (rev 0)
+++ openssl/branches/wheezy/debian/patches/Keep-old-method-in-case-of-an-unsupported-protocol.patch	2014-12-31 12:46:33 UTC (rev 706)
@@ -0,0 +1,44 @@
+From 392fa7a952e97d82eac6958c81ed1e256e6b8ca5 Mon Sep 17 00:00:00 2001
+From: Kurt Roeckx <kurt at roeckx.be>
+Date: Tue, 21 Oct 2014 20:45:15 +0200
+Subject: [PATCH] Keep old method in case of an unsupported protocol
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When we're configured with no-ssl3 and we receive an SSL v3 Client Hello, we set
+the method to NULL.  We didn't used to do that, and it breaks things.  This is a
+regression introduced in 62f45cc27d07187b59551e4fad3db4e52ea73f2c.  Keep the old
+method since the code is not able to deal with a NULL method at this time.
+
+CVE-2014-3569, PR#3571
+
+Reviewed-by: Emilia Käsper <emilia at openssl.org>
+---
+ ssl/s23_srvr.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
+index 38960ba..858420d 100644
+--- a/ssl/s23_srvr.c
++++ b/ssl/s23_srvr.c
+@@ -615,12 +615,14 @@ int ssl23_get_client_hello(SSL *s)
+ 	if ((type == 2) || (type == 3))
+ 		{
+ 		/* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
+-                s->method = ssl23_get_server_method(s->version);
+-		if (s->method == NULL)
++		const SSL_METHOD *new_method;
++		new_method = ssl23_get_server_method(s->version);
++		if (new_method == NULL)
+ 			{
+ 			SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
+ 			goto err;
+ 			}
++		s->method = new_method;
+ 
+ 		if (!ssl_init_wbio_buffer(s,1)) goto err;
+ 
+-- 
+2.1.4
+

Modified: openssl/branches/wheezy/debian/patches/series
===================================================================
--- openssl/branches/wheezy/debian/patches/series	2014-12-31 12:43:43 UTC (rev 705)
+++ openssl/branches/wheezy/debian/patches/series	2014-12-31 12:46:33 UTC (rev 706)
@@ -73,4 +73,4 @@
 Fix-for-session-tickets-memory-leak.patch
 Fix-no-ssl3-configuration-option.patch
 disable_sslv3.patch
-
+Keep-old-method-in-case-of-an-unsupported-protocol.patch

More information about the Pkg-openssl-changes mailing list